From 52476cff80a3356e490c8e33bcb36f55ae26370f Mon Sep 17 00:00:00 2001
From: Mauritz Uphoff
Date: Fri, 26 Jun 2026 11:27:37 +0200
Subject: [PATCH 1/3] fix(trufflehog): ignore pg example connection string
---
 examples/terraform-pg-state-locking/00-bootstrap/040-output.tf | 2 +-
 .../terraform-pg-state-locking/01-example-project/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/terraform-pg-state-locking/00-bootstrap/040-output.tf b/examples/terraform-pg-state-locking/00-bootstrap/040-output.tf
index f345841..9e0fa24 100644
--- a/examples/terraform-pg-state-locking/00-bootstrap/040-output.tf
+++ b/examples/terraform-pg-state-locking/00-bootstrap/040-output.tf
@@ -22,6 +22,6 @@ locals {
 output "pg_connection_uri" {
 description = "PostgreSQL Flex User Connection String"
- value = "postgres://${local.pg_username}:${local.pg_password}@${local.pg_host}:${local.pg_port}/${local.pg_database}?sslmode=require"
+ value = "postgres://${local.pg_username}:${local.pg_password}@${local.pg_host}:${local.pg_port}/${local.pg_database}?sslmode=require" # trufflehog:ignore
 sensitive = true
 }
diff --git a/examples/terraform-pg-state-locking/01-example-project/README.md b/examples/terraform-pg-state-locking/01-example-project/README.md
index f1f211d..b9a7e75 100644
--- a/examples/terraform-pg-state-locking/01-example-project/README.md
+++ b/examples/terraform-pg-state-locking/01-example-project/README.md
@@ -7,7 +7,7 @@ This module contains the core infrastructure configuration. It uses the `pg` bac
 1. Create a `backend.conf` file in this directory and define the connection string using the credentials generated by the bootstrap module:
 ```ini
- conn_str = "postgres://tf_state_user:@:5432/terraform_state?sslmode=require"
+ conn_str = "postgres://tf_state_user:@:5432/terraform_state?sslmode=require" # trufflehog:ignore
 ```
 2. Initialize Terraform and bind it to the remote PostgreSQL backend
--
2.49.1
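Review bot: The `# trufflehog:ignore` added to the `value` line of `output "pg_connection_uri"` in 00-bootstrap/040-output.tf carries no explanation, and it keeps suppressing the scanner if that line is later edited to hold a literal credential. A comment on the line above would record why the finding is a false positive, for example `# False positive: the URI is assembled from locals; no literal secret is committed on this line.` Separately, `sensitive = true` only redacts the value in CLI output; the assembled URI, password included, is still written in plaintext to this module's Terraform state, so that state needs the same protection as the credential itself. The same marker is added to the placeholder `conn_str` in 01-example-project/README.md; once a reader fills in the real password, `backend.conf` should be kept out of version control.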
From 22ac855f6021ee275b2becacf9a4f385b2913123 Mon Sep 17 00:00:00 2001
From: Mauritz Uphoff
Date: Fri, 26 Jun 2026 11:32:54 +0200
Subject: [PATCH 2/3] fix(tf-state readme): add warning for psql acl
---
 .../00-bootstrap/030-postgresql_flex.tf | 1 +
 examples/terraform-pg-state-locking/README.md | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/examples/terraform-pg-state-locking/00-bootstrap/030-postgresql_flex.tf b/examples/terraform-pg-state-locking/00-bootstrap/030-postgresql_flex.tf
index 11e2c85..db499da 100644
--- a/examples/terraform-pg-state-locking/00-bootstrap/030-postgresql_flex.tf
+++ b/examples/terraform-pg-state-locking/00-bootstrap/030-postgresql_flex.tf
@@ -31,6 +31,7 @@ resource "stackit_postgresflex_instance" "this" {
 backup_schedule = "00 00 * * *"
 acl = [
+ # WARNING: Open ACL is for development only. Restrict to your specific egress IP ranges in production.
 "0.0.0.0/0"
 ]
diff --git a/examples/terraform-pg-state-locking/README.md b/examples/terraform-pg-state-locking/README.md
index dc91fbe..721bd47 100644
--- a/examples/terraform-pg-state-locking/README.md
+++ b/examples/terraform-pg-state-locking/README.md
@@ -6,3 +6,7 @@ To resolve the circular dependency of provisioning a state backend using Terrafo
 1. **`00-bootstrap/`**: Provisions the backend infrastructure (PostgreSQL Flex instance, database and service user).
 2. **`01-example/`**: Represents the primary infrastructure, utilizing the provisioned PostgreSQL database as its remote backend.
+
+---
+
+**⚠️ Security Notice:** The PostgreSQL Flex instance in `00-bootstrap/` is configured with an open ACL (`0.0.0.0/0`) for development convenience. Before deploying to production, restrict the ACL to your specific egress IP ranges to prevent the database from being accessible via the public internet.
--
2.49.1
From 038928da3c81c5880ecb4be852481dd1d7525c77 Mon Sep 17 00:00:00 2001
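Review bot: The comment added inside the `acl` list of `stackit_postgresflex_instance.this` in 00-bootstrap/030-postgresql_flex.tf documents the open `0.0.0.0/0` entry but leaves it as the value anyone gets by applying the example unchanged, and this database stores Terraform state, which routinely contains secrets. Consider taking the list from a variable that has no open default, e.g. `acl = var.postgres_acl` (the variable name is only a suggestion), so a user has to state their egress ranges before the instance is created. If the open entry has to stay for the example, the warning could also say why it matters here: `# WARNING: this instance stores Terraform state (may contain secrets); 0.0.0.0/0 is for development only.` The resource block starts and ends outside the hunk, so any other network or authentication settings are not visible in this review.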
From: Tim Reibe Date: Fri, 26 Jun 2026 11:36:01 +0200 Subject: [PATCH 3/3] updated project name in tfvars example --- .../00-bootstrap/terraform.tfvars.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/terraform-pg-state-locking/00-bootstrap/terraform.tfvars.example b/examples/terraform-pg-state-locking/00-bootstrap/terraform.tfvars.example index d16ff30..a144c2d 100644 --- a/examples/terraform-pg-state-locking/00-bootstrap/terraform.tfvars.example +++ b/examples/terraform-pg-state-locking/00-bootstrap/terraform.tfvars.example @@ -15,7 +15,7 @@ stackit_organization_id = "" ## Name of the bootstrapping project -stackit_project_name = "01-example-project" +stackit_project_name = "00-bootstrap" # Email address of the STACKIT user set as project owner. stackit_org_admin = "